No Single Weakness: File Protection Best Practices for the Worst Case Scenario

No Reprieve

It was a sunny spring afternoon some years ago. I had been doing consulting work on a couple different projects and the hours were catching up with me. Since things were momentarily slowed, I decided to take off early and meet my wife down at the beach. I distinctly remember it being 2:30pm, but as I was packing my bag, I heard a strange sound. Repeating. Uncommon, yet with a distant familiarity. I followed it, and alas, came upon a little black piece of plastic.

Yes, my phone. I moved around so much back then I didn't usually share site phone numbers with people. I picked it up fully expecting to find someone offering me something new and exciting, impossibly secure...you know, something they would tell me they could prove. Uh huh.

OK, so back to our story. When I picked up the phone, I instantly recognized the voice on the other end of the line. It was someone I’d been speaking with on a few things, though we weren't active in any engagement. That was about to change: “We have some information that might be of interest to you. Do you have a secure email I can use?"

So much for a quiet afternoon on the beach...

Compromised Data

While I was receiving data and reaching out to relevant parties, an agency with a three-letter acronym was also reaching out to Executive ranks. After a couple hours exchanging information, we convened our first formal Incident Response meeting to plan next steps. Many networks had been breached, and not to any small extent.

As it turned out, we were dealing with an APT - Advanced Persistent Threat - carried out by a well-known group operating out of China. Their game plan was simple, straightforward, and all too common - break in, steal credentials, compromise as many systems as possible, then offload data. Pure espionage. They get in using phishing emails, watering hole attacks, social engineering, and a variety of other methods. They use memory scrapers and keyloggers, local exploits to escalate privileges, and they plant more malware. They steal not only local machine passwords but also network administrative credentials. Because they are then operating with legitimate credentials, a lot of what they do looks normal to most people and many systems. Once inside a company, they can spend months if not years offloading data.

In the days and weeks that followed, we found gigabytes of compressed, password-protected archives moved to perimeter devices and being offloaded to command and control servers on the Internet. Because of how data was moving and because the organization didn’t have effective security systems in place, there was almost no way of figuring out what had been taken. This was, in some respects, the worst-case scenario. But, as is often the case, we are sometimes our own worst enemies. In our initial discussions, we made it absolutely clear that we didn’t want to touch the affected equipment so we could monitor our attackers. Not 10 minutes after we had our first break, one of the senior IT admins sent out an announcement that he had stopped the bleeding by unplugging all affected machines. A hero indeed — except now his team wasn't going to have an easy time figuring out what had been compromised: pulling the plug discards the volatile evidence (running processes, open network connections, malware that lives only in memory) and tells the attackers they have been noticed. This ended up costing the response team at least 6 additional weeks of work.

Threat to Sensitive Information

This problem is a lot more common than it seems. News headlines have been full of high-profile breaches in the past year, but they almost always involve consumer product companies and financial firms. Reporters share disclosure information related to customer accounts, personal information, and banking data; host-based sensitive information breaches with corporate IP disclosure are not usually shared. If only people knew - it happens every single day.

In fact, the 2014 Verizon Data Breach Investigations Report (DBIR) indicates that around 22% of the breaches they analyzed included a cyber-espionage component. This often entails highly motivated and well-funded teams breaching networks with the specific goal of stealing sensitive data (often held in files).

Further to that, there was another study a couple years ago indicating that only 20% of executives viewed sensitive information disclosure as a threat to their businesses. Let’s think about all the information that changes hands every day — from customer lists to in-progress partnership and purchase agreements through company strategy, financial data, and design specifications, getting all the way to employee personal information. Most companies limit distribution of these items and don’t want them disclosed. I suspect the numbers more accurately reflect a feeling that spending isn't effective.

Protecting Host-based Information

There are hundreds of concepts to consider when evaluating a system and deciding what to do about data protection, but I'm going to focus on protecting sensitive file-based information. We can start by looking at some simple examples, but first, a reminder: data protections are most effective when applied for their intended purpose. A control built for one threat (a lost laptop, say) does nothing against another (malware on a running machine). Yes, it's obvious, but it's also something that I don't believe gets enough attention. Improper application ends up costing lots of money.

Back Doors, Trojans, Malware, etc.

No matter what form they come in, a good portion of today’s threat to sensitive information comes from malicious software injected on a host which can harvest user credentials (among other things) from your system and your network. As noted, these are common tactics for APT/ATA groups, and pretty soon it will be hard for anyone in the security business to say that they haven’t encountered this in recent work.

These applications are “delivered” in many ways (e.g., social engineering, watering hole attacks, phishing and spear phishing, drive-by downloads) and they all have one thing in common: they get on your machine, steal your credentials, and give the attacker free rein over the data on your system.

Let’s take an example of a corporate machine compromised with malware. In our example, we’ll use a Product Manager with a strain of malware that includes a keylogger to record keystrokes and offload them to a machine on the Internet that the attacker can access. Every few days the attacker gets a transcript.

On Monday morning, our PM arrives at work and logs into his machine. He’s pretty aware of today’s security threats, so he’s using file encryption software that requires him to log in. Once he does, he can access his archive. In this case, it includes a customer list, an unpublished price sheet and some contracts he’s reviewing ahead of a strategic partnership that’s the key to a big splash. Our PM is not only excited, he feels good that he’s secured his data. But it’s not secure. When he logged into his encryption software, he unlocked the archive with a password that was logged and sent to a compromised server on the Internet. The encryption is only as strong as that password, and the attacker now has it. But doesn’t a corporate security system stop this sort of thing? Perhaps, but it doesn’t matter…

Little Plastic Boxes

When our PM finishes up his day, he heads home, has dinner with his family then checks in to see if he has any important email ahead of the next day. He’s exhausted and gets up to answer a question from his wife, then goes to bed without ever going back into his office. His machine is online — idle.

Meantime, his attacker on the other side of the world gets up and goes into his office. Yes, this is his day job. He probably has a dental plan (OK, it works differently over there, but you get my point: it's his full-time job). He checks his resources and pulls transcripts to find the PM’s password plain as day. He searches logs and finds out that the PM is using a machine sitting outside the company network, and he spends a couple hours investigating and finds out it’s only protected by a Little Plastic Box (do you know the reference?). He rolls up his sleeves, engages his tools, and ultimately starts copying files. When he’s done, he has the encrypted files and also the PM’s credentials, so he can now open the encrypted information with success. Game over. Not really very secure, is it?

LPBs don’t provide any real protection here. A home router may block unsolicited inbound connections, but any outbound connection from malware on our PM's machine to the Internet not only succeeds, but goes completely unnoticed by anyone. Once the malware has that channel, the attacker can use his tools to reach anything else on our PM’s home network. Not only has the PM lost his sensitive data, he’s also exposed his company and his home network to someone with very bad intentions. We will talk more about that in other text.

"That’s not going to happen to me…" We’ve all heard it, and it’s a common first reaction when going through an example like this. In all fairness, it could have already happened undetected. In my experience, that’s often the case. “That’s never happened to us — if it had, how come I haven’t heard about it?” Maybe someone unplugged a couple servers instead...

Just a couple years ago, a lot of people could count on being low-interest to avoid the need for protections. That’s not the case anymore. The new mantra is: “It’s not a question of if. It’s a question of when." But to us, that's still not good enough. In reality, they are already here.

"But you can’t protect data on a machine that’s been compromised…" This isn’t entirely true: you can’t make a compromised host trustworthy, but you can keep keys and most plaintext off it, and today we have many more tools available to help us get there. DefiniSec offers protections specifically and directly focused on this very problem. While a great deal of "encryption" and "data protection" software ignores these very common host threats, our software focuses on them extensively.

Mitigating Back Door Threats

The malware and attacker tools I speak of go beyond key logging and can steal in-memory encryption keys, passphrases and a variety of other things. A well-designed set of tools can get away with a great deal of information — potentially any piece of information. So how can we stop it? Let’s revisit our scenario to see what kinds of things we can do.

Two-Factor Authentication

In response to the 2012 Verizon DBIR, security firm Neohapsis stated that nearly 80% of studied breaches could have been avoided using two-factor authentication. For those that don’t know, when you attempt to authenticate, you can do so by providing information in one of three forms:

Something you know, like a password. There are many articles and topics here on how to properly use and manage user passwords. They are worth reading.

Something you have, like a phone, or a USB key. Not unlike a password, second factors must be used properly or else they are equally ineffective (and many are today).

Something you are. These authenticators come in the form of fingerprints, retinal scans, voice recognition and facial recognition, to name a few.

It’s worth noting that biometrics are very often done insecurely — cheap fingerprint readers are both readily available and very easy to bypass. It’s fairly well-known in security circles. A good option is to go with a physical token of sorts, and I personally prefer a physical token to a software token because it’s not always obvious when a certificate has been compromised. I'll know if I lose my phone (but may not if it's simply hacked, and phones are terribly insecure).

As with anything, proper design and implementation are prerequisites. Some of the most advanced designs become useless when you rely on OpenSSL that’s not patched for Heartbleed.

So let’s go back to the earlier example. If our PM had been using a second-factor USB token and it was on his keychain, he might have had cause to take his keys with him when he walked away from his computer. Though the attacker could still get to the files, it’s possible he wouldn’t be able to decrypt them. It depends on the second-factor implementation: if the token takes part in deriving or unwrapping the file keys, its absence matters; if it only gates the login, the keys may already be sitting on the host. But had our PM left the token in the machine, it’s a different story. Though challenging, our attacker could automate attacks to remote-control the target and use the protection software to decrypt and open the files, at which point he can take plaintext data.

There are a number of second-factor solutions on the market with varying levels of protective capability. Some are connected to your machine, some provide a code that must be manually entered and still others do a little bit of both using the cloud. Some provide client authentication, and others use challenge-response protocols to implement mutual authentication. Some generate changing information on a regular basis, yet others supply static data intermittently. In this latter scenario, the protections are only slightly more useful than a password alone: a static second factor captured once by the same keylogger is as reusable as the password was. Our advice is to stick with a supplier who can show that their solution gets put through regular third-party security audits. It's one thing to build protection technologies, and another to do it right. Yet another topic....

An Example of Poor Two-Factor Authentication

I recently performed an audit of a company’s remote access VPN that used two-factor authentication, and the end result was a bit disappointing. In their case, they integrated two technologies — an SSL VPN and a cloud-based second-factor service provider. Nothing wrong with either solution, but together they only came close to a suitable and useful result. This worked by using a phone and the user’s credentials. Employees would go home, log in to the VPN and supply their username/password combination and a passcode they could get from their phone. This out-of-band mechanism was suitable, but once they entered their credentials they never had to do so again. Thus, we’d find users would log in and stay connected for weeks at a time, which reduces the second factor to a one-time gate: anything that reaches the user's machine afterwards rides the authenticated tunnel for free. This then becomes a very tantalizing opportunity for an attacker to penetrate an organization. Remember Target? Attackers came in through a smaller company. Remember that LPBs really don't provide any protection at all. A constant, authenticated, open VPN connection from home to work is not good, even if the tunnel terminates inside the firewall. What the user has access to is what matters, and usually it's more than nothing.
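Here is what the VPN above was missing, as an added example in Go. It is not code from the original article or from any product it mentions; the `Authenticator`, `Session`, `Login` and `Valid` names, the one-step clock-drift window and the hard session ceiling `MaxSession` are assumptions made for the illustration, and the plain password comparison stands in for the slow password hash a real system would store. The one-time code is RFC 6238 TOTP (HMAC-SHA1, 30-second steps, six digits), so the second factor changes every half minute instead of being static data; a code that has already been accepted is refused a second time; and a session expires at a fixed time no matter how active it is, so nobody stays logged in for weeks.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	totpStep = 30 // seconds per code (RFC 6238 default)
	totpSkew = 1  // steps of clock drift tolerated on either side of "now"
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically
// truncated to a 31-bit value and reduced to six decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is RFC 6238: HOTP with the counter taken from unix time t. A fresh
// code every step is what separates a real second factor from static data.
func TOTP(secret []byte, t int64) string {
	return hotp(secret, uint64(t/totpStep))
}

// Session is what the VPN (or file-protection client) hands out after login.
// ExpiresAt is a hard ceiling that activity never extends, so a connection
// that "stays up for weeks" is impossible by construction.
type Session struct {
	User      string
	IssuedAt  int64
	ExpiresAt int64
}

// Authenticator checks something-you-know plus something-you-have, refuses a
// code that has already authenticated someone, and bounds session lifetime.
// Assumed shape for this illustration, not any vendor's API.
type Authenticator struct {
	User        string
	Password    string // demo only: real systems store a slow password hash
	Secret      []byte // shared TOTP secret enrolled in the user's token/app
	MaxSession  int64  // seconds; re-authentication is forced after this
	lastCounter uint64 // highest TOTP counter already consumed
}

// Login returns a session only if both factors check out and the code has not
// been seen before. It deliberately does not reveal which factor failed.
func (a *Authenticator) Login(password, code string, now int64) (*Session, error) {
	pwOK := subtle.ConstantTimeCompare([]byte(password), []byte(a.Password)) == 1
	matched, counter := false, uint64(0)
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		c := now/totpStep + d
		if c < 0 {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(a.Secret, uint64(c))), []byte(code)) == 1 {
			matched, counter = true, uint64(c)
		}
	}
	if !pwOK || !matched {
		return nil, errors.New("authentication failed")
	}
	if counter <= a.lastCounter {
		return nil, errors.New("authentication failed: code already used")
	}
	a.lastCounter = counter
	return &Session{User: a.User, IssuedAt: now, ExpiresAt: now + a.MaxSession}, nil
}

// Valid reports whether the session may still be used at unix time now.
func (a *Authenticator) Valid(s *Session, now int64) bool {
	return s != nil && now >= s.IssuedAt && now < s.ExpiresAt
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	a := &Authenticator{User: "pm", Password: "correct horse", Secret: secret, MaxSession: 8 * 3600}
	now := time.Now().Unix()
	s, err := a.Login("correct horse", TOTP(secret, now), now)
	fmt.Println("login ok:", err == nil, "valid now:", a.Valid(s, now), "valid tomorrow:", a.Valid(s, now+86400))
	_, err = a.Login("correct horse", TOTP(secret, now), now+5) // same code again
	fmt.Println("replay:", err)
}
```

With the RFC 6238 test secret `12345678901234567890`, `TOTP(secret, 59)` yields `287082` and `TOTP(secret, 1111111109)` yields `081804`, the published vectors. A captured code is worth at most one login, and none if the legitimate user already spent it; the ceiling on session lifetime is what turns the second factor from a one-time gate into a recurring check.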

Good, effective two-factor authentication can be extremely difficult to bypass. There are far fewer resources available on strong second-factor implementations than on proper password use, but this is changing, as are a number of things related to standardized second-factor tokens. We can only advise you to do a little homework and ask some questions, or give us a call and we'll do what we can to help. But don't forget how many people don't really know: you’d be surprised how many “security practitioners” with multiple certifications miss these simple concepts.

But Yet, There’s More…

So let’s say our PM had two-factor authentication, and he took his key with him to bed. (Odd, I know.) The attacker can still get into the box and see everything that took place — that means the keys associated with the encrypted files (i.e., the keys needed to decrypt to plaintext), because they were in memory, if only for an instant. Turns out, our attacker has fairly advanced software and is able to walk through memory and steal these keys. Because of that, the attacker has the keys and can download the archive and open all the files. In this case, the second factor could inhibit less capable attackers, but still probably not stop someone specifically out to get data from a company.

What else can we do here? There are a couple things. The keys need to be different for every file, and cryptographic operations should be done somewhere else — somewhere secure.

Cryptographic Offloading — With cryptographic offloading, decryption takes place elsewhere, in a more secure environment. If the file was offloaded to another device and decrypted there, the decryption keys would never be exposed on the compromised host. While the attacker could comb memory and take the plaintext content of the opened files, he’d have to find a way to steal in-memory data from every source application. That’s yet again harder than stealing a single key and applying it to PowerPoint files, Word files, .PDF files, AutoCAD files, and PGP-encrypted email. It gets much more difficult — there's still some data exposure, but now we require our attacker to be much more capable. Sometimes that’s enough.
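To make the two requirements just stated concrete (a different key for every file, regenerated every time it is saved, and all cryptographic operations performed somewhere other than the compromised host), here is an added example in Go. It is not DefiniSec code or a description of any vendor's product; the `KeyService` type, the `ProtectedFile` layout, the 32-byte key size and the choice of AES-256-GCM are assumptions made for the illustration. `KeyService` stands in for the separate device: it alone holds the master key, draws a fresh per-file key on every `Seal`, and does both the key wrapping and the decryption, so the host only ever stores an encrypted key and ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService stands in for the separate, trusted device: it alone holds the
// master key and performs every cryptographic operation (assumed design).
type KeyService struct {
	master []byte // AES-256 key; never handed to the host
}

// ProtectedFile is everything the host stores: no key material in the clear.
type ProtectedFile struct {
	Name       string
	WrappedKey []byte // per-file key, encrypted under the master key
	Ciphertext []byte // file body, encrypted under the per-file key
}

// randomBytes draws n bytes from the OS CSPRNG; a failure is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKeyService provisions a device with a fresh random master key.
func NewKeyService() *KeyService { return &KeyService{master: randomBytes(32)} }

// aeadFor builds AES-GCM for a key; sizes are fixed here, so errors are bugs.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// zero wipes key material as soon as it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// gcmSeal encrypts and authenticates, prefixing a random 96-bit nonce.
func gcmSeal(key, plaintext, aad []byte) []byte {
	aead := aeadFor(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen reverses gcmSeal; a wrong key, wrong AAD or any tampering fails.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead := aeadFor(key)
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Seal runs on every save/close. A brand-new random per-file key is drawn each
// time, so keys differ per file and change on every close; the file name is
// bound as associated data, so a wrapped key cannot be moved to another file.
func (s *KeyService) Seal(name string, plaintext []byte) *ProtectedFile {
	dek := randomBytes(32)
	defer zero(dek) // the per-file key's lifetime ends inside the key service
	return &ProtectedFile{
		Name:       name,
		WrappedKey: gcmSeal(s.master, dek, []byte(name)),
		Ciphertext: gcmSeal(dek, plaintext, []byte(name)),
	}
}

// Open unwraps the per-file key and decrypts inside the key service; the host
// receives plaintext for this one file, never a key it could apply elsewhere.
func (s *KeyService) Open(f *ProtectedFile) ([]byte, error) {
	dek, err := gcmOpen(s.master, f.WrappedKey, []byte(f.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap %q: %w", f.Name, err)
	}
	defer zero(dek)
	return gcmOpen(dek, f.Ciphertext, []byte(f.Name))
}

func main() {
	svc := NewKeyService()
	doc := []byte("constructed sample: unpublished price sheet") // constructed input
	v1, v2 := svc.Seal("prices.xlsx", doc), svc.Seal("prices.xlsx", doc) // saved twice
	_, err := svc.Open(&ProtectedFile{Name: v2.Name, WrappedKey: v1.WrappedKey, Ciphertext: v2.Ciphertext})
	fmt.Println("keys differ:", string(v1.WrappedKey) != string(v2.WrappedKey), "stale key rejected:", err != nil)
}
```

Saving the same document twice produces two different wrapped keys and two different ciphertexts, and the earlier wrapped key is useless against the later ciphertext. A memory-scraping attacker on the host still sees the plaintext of whatever file is open, which is exactly the residual exposure described above, but there is no master key and no reusable per-file key on the host to steal, so every file has to be attacked separately while it is open.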

Ephemeral Keys — This topic received a bit of press after the Snowden leaks, specific to SSL. The so-called “master” key in question is the server’s long-term private key, the one behind its certificate. With the classic RSA key exchange, the client encrypts the session’s premaster secret to that key, and the session keys are derived from the premaster secret; so anyone who later acquires the private key (the reports concerned federal authorities) can take previously recorded encrypted traffic and recover the plaintext. Ephemeral key exchange (Diffie-Hellman with one-time values that are discarded after the handshake) makes the session keys independent of the long-term key, so they don’t suffer this fate. This property is what is meant by forward secrecy.

This end result was the default behavior because of how SSL clients and servers prioritized their cipher suites. When two computers wish to negotiate a secure session, each offers a set of cipher suites in prioritized order for the other side to consider. The highest-priority match is used, and the ephemeral (DHE/ECDHE) suites weren’t a high priority in a number of typical configurations. That has since changed (and it should have been the default to start with, as more often than not there is no reason not to do it).

“That’s never going to happen to me…”

Ephemeral keys ensure that the session keys are completely independent of the “master” keys, so when those are compromised, or acquired through legal means, the session information remains protected. Since session keys are transient and thrown out, but also held in somewhat isolated systems, no court order is going to get those (except in extremely strange circumstances, though I’ve never heard of such a thing).

In our case, we’re looking to apply similar concepts to our PM’s files — independent keys for each file, and, in a more perfect world, keys that change every time the file is opened and closed (decrypted and re-encrypted). Ask your vendor what they do and how they manage their keys.

Summing it Up

We’ve only started to scratch the surface, though it’s my hope I’ve at least provided some food for thought and encouraged further independent investigation on these topics. It’s always important to properly apply technology, but security is a bit more sensitive to misapplication because it cannot suffer a single weakness: one gap is a way through, and it makes all the other protections ineffective.

In closing I wanted to offer some guidance on selecting a vendor and a starting point on where to look for effective file protections. With some luck and with the information I’ve presented, I hope almost anyone will have the tools necessary to find and properly deploy an effective file protection solution.

Qualifying a Vendor

Make sure your vendor has qualified practitioners in development. Certifications are fine, but I imagine you understand the realities of real-world experience. Hold them to it.

Insight — If your vendor doesn’t understand how to protect an enterprise, they can’t tell you if their product is right for you. They must have the same insight on security that you have on IT, and be able to apply these concepts to new dynamics on the fly.

SSDL — Ask about their Secure Software Development Lifecycle model. Those that invest will be proud and will tell you; others will have little to say. Keep them honest — a vendor without a secure engineering methodology can’t deliver effective protections that are free of vulnerabilities.

Auditing — Find out when they last had a third-party security audit, and when they intend to perform their next one. This isn’t a substitute for an SSDL; both are required. They may not want to give you much data, and doing it right is expensive, so be patient, but make sure they have a plan and commitment to do it on a regular basis.

Choosing a Solution

For road warriors, look into Full Disk Encryption. Hardware is lost all over the world every day, and if you’ve been lucky enough to avoid that, address it before your luck runs out. If you can do it, go with self-encrypting drives and a suitable enterprise management solution. Never forget that FDE ONLY protects data at rest, against someone who gets physical access to a powered-off device. Once the machine is booted and unlocked, the operating system and any malware running on it read the disk in the clear, so FDE does nothing for our PM's scenario. (BitLocker, Opal)

To protect against exposure to cloud vendors, consider one of the larger vendors that focus on cloud collaboration integration. They will be on the cloud provider’s partner or market pages. Take care you don’t expect them to protect against other vectors – they often don’t. (Boxcryptor)

If your organization regularly exchanges relatively sensitive data like our PM, look for a fully-featured file protection solution. There are several good options out there with many features. (Egress Switch, WinMagic)

For highly sensitive secrets or large organizations with very little control over data flows, look for a solution with extensive tracking capabilities. These often come with in-depth collaboration policies for sharing and data usage reports. There are a couple mature products to choose from. (WatchDox)

For the most sensitive data, that which puts your entire business at risk if disclosed, find a file protection solution with integrated Digital Rights Management. These vendors use secure access containers and include very strict access controls. (FileOpen)